Tellius
Tellius 5.5

AWS PrivateLink

What is an AWS PrivateLink?

AWS PrivateLink is an AWS service (supported by Snowflake) that lets you create private VPC (Virtual Private Cloud) endpoints for direct, secure connectivity between your AWS VPCs and the Snowflake VPC without traversing the public internet. A maximum of five PrivateLinks can be enabled in your environment. This document outlines the steps to configure Snowflake-AWS PrivateLink.

Pre-requisites

To configure Snowflake-AWS PrivateLink, you must have the following:

  • Access to an AWS account with permissions to create VPC endpoints and DNS Hosted Zones.

  • Access to a Snowflake account with ACCOUNTADMIN permissions.

Steps to follow (on Snowflake side)

  1. Log in to your Snowflake account with ACCOUNTADMIN permissions and run the following command, using the federation token output from Step 1 on the AWS side. This command authorizes Snowflake to access your AWS resources.

use role accountadmin;
-- replace 185... with the 12-digit identifier of your AWS account
-- replace the second argument with the JSON output of get-federation-token (Step 1 on the AWS side)

select system$authorize_privatelink (
    '185...',
    '{
       "Credentials": 
       {
           "AccessKeyId": "ASI...",
           "SecretAccessKey": "enw...",
           "SessionToken": "Fwo...",
           "Expiration": "2021-01-07T19:06:23+00:00"
       },

       "FederatedUser": {
           "FederatedUserId": "185...:sam",
           "Arn": "arn:aws:sts::185...:federated-user/sam"
       },
       "PackedPolicySize": 0
    }'
  );

  2. On the Snowflake worksheet, run and save the output of the following command. It provides the necessary configurations to enable internal stages on Snowflake.

select SYSTEM$GET_PRIVATELINK_CONFIG();

  3. Run the following command to enable internal stages on Snowflake and display the configuration settings:

use role accountadmin;
alter account set enable_internal_stages_privatelink = true;
select key, value from table(flatten(input=>parse_json(system$get_privatelink_config())));
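The federation token used in step 1 is temporary, so it is worth checking its expiry and deriving the account ID from the token itself before pasting anything into a worksheet. The following is an added example, not part of the Tellius or Snowflake documentation; the function name `build_authorize_sql` and all sample values are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of `aws sts get-federation-token` output (placeholders, not real credentials).
SAMPLE_TOKEN = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret",
    "SessionToken": "example-session-token",
    "Expiration": "2021-01-07T19:06:23+00:00"
  },
  "FederatedUser": {
    "FederatedUserId": "123456789012:tellius-sf-01",
    "Arn": "arn:aws:sts::123456789012:federated-user/tellius-sf-01"
  },
  "PackedPolicySize": 0
}"""

# The 12-digit account ID is taken from the federated user ARN rather than typed by hand.
ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):federated-user/.+$")


def build_authorize_sql(token_json, now=None):
    """Return the authorize statement, or raise ValueError if the token is unusable."""
    token = json.loads(token_json)
    match = ARN_RE.match(token["FederatedUser"]["Arn"])
    if not match:
        raise ValueError("unexpected FederatedUser ARN")
    account_id = match.group(1)
    expiration = token["Credentials"]["Expiration"].replace("Z", "+00:00")
    expires = datetime.fromisoformat(expiration)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError(f"federation token expired at {expires.isoformat()}")
    # Re-serialize compactly; double single quotes so the JSON stays one SQL string literal.
    literal = json.dumps(token, separators=(",", ":")).replace("'", "''")
    if "\\" in literal:
        raise ValueError("backslash in token JSON would be unescaped by a SQL string literal")
    # The returned statement embeds live temporary credentials: keep it out of logs and tickets.
    return f"select system$authorize_privatelink('{account_id}', '{literal}');"
```

Run the returned statement under `use role accountadmin;` as in step 1; an expired token raises an error instead of producing a statement.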

Steps to follow (On AWS Side)

Please note that if Tellius is hosting the infrastructure, then the Tellius team will take care of all the following steps. Contact support@tellius.com for further assistance.

  1. A new user needs to be created on AWS with this policy attached via a group.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:GetFederationToken",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

Using the AWS access credentials created for this account, you can set up AWS CLI and then run the following command to retrieve temporary security credentials to authorize Snowflake to access AWS resources.

aws sts get-federation-token --name tellius-sf-01

  2. Create a VPC Endpoint on the AWS console for tunneling PrivateLink endpoints. Enter the resource ID of privatelink-vpce-id from the saved JSON and click verify and create.

  3. Create a private DNS Hosted Zone in AWS Route53 on the same VPC as the Kubernetes cluster/instance. This can be the same as the node groups VPC, subnet, and Security Group.

  4. Add CNAMEs for the URLs printed in the JSON using the following format:

  • Record type: CNAME

  • Name: <repeat n from JSON>

  • Address: <DNS Name of VPC Endpoint from the previous step>

  • TTL: 30 seconds

  5. In the AWS Console, navigate to the EC2 dashboard and click on Security Groups in the left-hand navigation panel.

  6. Click on the Create Security Group button and create a new security group with inbound and outbound rules that allow traffic from the VPC endpoint security group to the appropriate node group of the Kubernetes cluster for ports 80 and 443.

  7. With these steps, you should now have a fully functional Snowflake-AWS PrivateLink environment that allows you to securely access data from Snowflake through a private network connection.

Note that you may need to grant appropriate permissions to users and roles in order to access the new stage. It can be done by using the GRANT command in Snowflake.
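The CNAME step above can be generated from the saved SYSTEM$GET_PRIVATELINK_CONFIG output instead of being typed record by record. The following is an added example, not part of the Tellius documentation: it builds a Route 53 change batch with the record format listed above and refuses a target that is not a VPC endpoint DNS name. The function names, the sample key names other than privatelink-vpce-id, and all sample values are assumptions constructed for illustration.

```python
import json

TTL_SECONDS = 30  # TTL from the record format in the steps above
SUFFIX = ".privatelink.snowflakecomputing.com"

# Constructed sample of SYSTEM$GET_PRIVATELINK_CONFIG() output; every value is a placeholder.
SAMPLE_CONFIG = """{
  "privatelink-account-name": "xy12345.us-east-1.privatelink",
  "privatelink-vpce-id": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
  "privatelink-account-url": "xy12345.us-east-1.privatelink.snowflakecomputing.com",
  "privatelink_ocsp-url": "ocsp.xy12345.us-east-1.privatelink.snowflakecomputing.com"
}"""


def privatelink_hosts(config_json):
    """Collect every PrivateLink hostname in the config output, whatever key holds it."""
    hosts = set()
    for value in json.loads(config_json).values():
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, str):
                host = item.strip().lower().rstrip(".")
                if host.endswith(SUFFIX):
                    hosts.add(host)
    return sorted(hosts)


def build_change_batch(config_json, endpoint_dns):
    """Return a Route 53 change batch pointing each hostname at the VPC endpoint."""
    endpoint_dns = endpoint_dns.strip().lower().rstrip(".")
    # Assumption: interface endpoint DNS names in commercial regions end in vpce.amazonaws.com.
    if not endpoint_dns.endswith(".vpce.amazonaws.com"):
        raise ValueError("target is not a VPC endpoint DNS name: " + endpoint_dns)
    hosts = privatelink_hosts(config_json)
    if not hosts:
        raise ValueError("no PrivateLink hostnames found in the config output")
    changes = [{
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": host,
            "Type": "CNAME",
            "TTL": TTL_SECONDS,
            "ResourceRecords": [{"Value": endpoint_dns}],
        },
    } for host in hosts]
    return {"Comment": "Snowflake PrivateLink CNAMEs", "Changes": changes}
```

Write the result with `json.dump` to a file and apply it to the private hosted zone with `aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://<file>`.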

Points to remember

  1. Make sure that the security groups of both VPC endpoints contain inbound and outbound rules to the proper Kubernetes cluster node group for ports 80 and 443.

  2. When creating the VPC endpoint, make sure to select the VPC and subnet where your Kubernetes cluster/instance is running, and also make sure to choose the appropriate security group that allows traffic from the Kubernetes cluster.

  3. When creating the private DNS hosted zone, make sure to choose the same VPC as the Kubernetes cluster/instance and add CNAME records for all the URLs printed in the JSON output from Step 2.

  4. When creating the VPC endpoint for tunneling PrivateLink endpoints, make sure to select the appropriate resource ID of the endpoint and verify the settings before creating.

  5. Also, note that Snowflake charges additional fees for using PrivateLink, and it is important to review the pricing and billing documentation to understand the costs associated with using this feature.

Reference

The exact steps may vary depending on your specific setup, and it is important to consult the official Snowflake and AWS documentation for detailed instructions and best practices.


Last updated 5 months ago

https://docs.snowflake.com/en/user-guide/admin-security-privatelink.html#configuring-your-aws-vpc-environment
https://docs.snowflake.com/en/user-guide/private-internal-stages-aws.html